Abstract. DC has proved to be a promising tool for the specification and verification of functional requirements on the design of hard real-time systems. Many works have been devoted to developing effective techniques for checking models of hard real-time systems against DC specifications. DC model checking theory is still evolving, and there are as yet no tools supporting practical verification, owing to the high undecidability of the calculus and the great complexity of model checking. The present situation of PDC model checking is much worse than that of DC model checking. In view of the results achieved so far, it is desirable to develop approximate model checking techniques for DC and PDC specifications. This work was motivated by the aim of developing approximate techniques for checking automata models of hard real-time systems against DC and PDC specifications. Unlike previous works, which only deal with decidable formulas, we want to develop approximate techniques covering all DC and PDC formulas. The first results of our work, namely approximate techniques for checking real-time automata models of systems against LDI and PLDI specifications, are described in this paper.



1 Introduction 

Functional requirements and dependability requirements are two kinds of top-level requirements on the design of computing systems, including software-embedded hard real-time systems. Functional requirements express what a system must be able to do and what it must not do. Dependability requirements express that the probability of undesirable but unavoidable behavior of a system must be below a certain limit.

Duration Calculus (abbreviated to DC) was introduced in [1] as a logic for specifying quantitative timing requirements of hard real-time systems and fully analyzed in [2, 3]. DC has strong expressive power for specifying hard real-time requirements of systems, but its formulas are highly undecidable [4]. Linear duration invariants (abbreviated to LDIs), a decidable subclass of DC formulas, are useful for specifying constraints on the durations of states in systems [5]. A major interest of researchers in DC model checking has been to develop effective techniques for checking timed automata against LDIs, and many works were devoted to this problem [6, 7, 8, 9, 10]. But the algorithms developed so far need complicated preprocessing and huge amounts of computation, and do not support debugging effectively, although in theoretical terms they allow complete verification.

Several researchers defined variants of DC and proposed techniques for checking timed state sequence models against some decidable fragments of their calculi [11, 12, 13, 14, 15]. But the complexity of model checking any decidable fragment featuring both negation and chop, DC's only modality, is non-elementary and thus impractical [15]. Even worse, when such decidable fragments are generalized just slightly to cover more interesting durational constraints, the resulting fragments become undecidable [15]. DC model checking theory is still not developed far enough to meet the basic standards for practical application.

Naturally, a probabilistic extension of DC, called PDC, was studied to specify and verify dependability requirements of hard real-time systems [16, 17]. Some researchers tried to develop a technique for checking probabilistic timed automata against so-called probabilistic linear duration invariants (abbreviated to PLDIs) of their calculus, also called PDC, in [18]. As they noted in their paper, their study did not show considerable results from the complexity point of view.

DC and PDC, which provide good models and specifications of real-time systems, would be more useful in the design of hard real-time systems if effective model checking techniques were available. To the best of our knowledge, very few research results showing applications of DC model checking in practice have been reported so far.

This work was motivated by the aim of developing approximate model checking tools for the verification of automata models of real-time systems against DC and PDC specifications. Approximate model checking is achieved by generating a large number of random paths through the model, evaluating each path against the given property, and using the resulting information to produce an approximately correct result. Approximate model checking offers a way of handling the difficult problems faced in DC and PDC model checking, such as the huge amount of computation and the weak debugging capability, and also makes it possible to use undecidable formulas in system verification. We think that approximate model checking can be a better way to use DC and PDC in the verification of hard real-time systems than exact model checking, because DC and PDC have strong expressive power, but they are highly undecidable and the cost of model checking is too high.

In this paper, we describe our first results, concentrating on the main idea and its advantages through simple but typical cases of DC and PDC model checking. The rest of the paper is organized as follows. In the next section, we present an approximate technique for checking real-time automata against LDIs using a genetic algorithm. In Section 3, we present an approximate technique for checking probabilistic real-time automata against PLDIs, which is based on the technique of Section 2. In Section 4, we discuss future work.

2 Approximate Technique Checking Real-time Automata for LDIs

In this section, we present a technique for checking real-time automata against LDIs approximately, based on a genetic algorithm. A genetic algorithm is a good approach for finding a near-optimal solution when a problem is so complicated that seeking an optimal solution is practically impossible. For our purpose, we define the satisfaction relation between a real-time automaton and an LDI slightly differently from other papers, but equivalently in essence. Then we develop a technique for checking real-time automata against LDIs approximately and give an example showing the effectiveness of our technique. At the end of the section we give a remark on our technique.



2.1 Satisfaction relation between a real-time automaton and an LDI

Definition 1. A real-time automaton $\mathcal{M}$ is a triple $\mathcal{M} = (S, T, L)$ consisting of a finite set $S$ of states, a transition relation $T \subseteq S \times I \times S$, and a labeling function $L : S \to 2^{AP}$ assigning a set of atomic propositions to each state $s \in S$.

Here, $I$ is the set of closed intervals $[a, b]$ and semi-infinite intervals $[a, \infty)$ on $\mathbb{R}^+$. For convenience, we simply denote these intervals by $[*, *]$. Every state of a real-time automaton is both an initial state and an accepting state. $AP$ is the set of atomic propositions, which is chosen according to the system. A real-time automaton has one clock, which is reset by every transition.

Example 1. A gas burner is a device that generates a flame to heat products using a gaseous fuel. If the flame fails to be on while the gas valve is open, gas leaks. A sensor should detect the gas leak and close the gas valve within one second. Then the gas valve should not be opened for 30 seconds, to prevent accumulation of leaked gas. Gas may leak again, without the flame being on, at any time after the valve is opened. The left of Fig. 1 shows the real-time automaton model of the gas burner. Leak and NLeak are used to denote the atomic propositions of the gas burner.

Fig. 1. Left: Real-time automaton model of gas burner. Right: Probabilistic real-time automaton model of gas burner.

For a transition $p = (s, [a, b], s')$ of $\mathcal{M}$, the notations $\overleftarrow{p} = s$ and $\overrightarrow{p} = s'$ are used. $p_1 p_2 \ldots p_m$ is called a sequence and $(p_1, t_1)(p_2, t_2) \ldots (p_m, t_m)$ is called a time-stamped sequence, where $p_i = (s_i, [a_i, b_i], s_i')$ and $t_i \in [a_i, b_i]$ for all $i$ ($1 \le i \le m$). $Seq$ and $TSeq$ are used to denote a sequence and a time-stamped sequence respectively. If a sequence $p_1 p_2 \ldots p_m$ satisfies $\overrightarrow{p_i} = \overleftarrow{p_{i+1}}$ for all $i$ ($1 \le i < m$), it is called a behavior and denoted by $Beh = p_1 p_2 \ldots p_m$. If a time-stamped sequence $(p_1, t_1)(p_2, t_2) \ldots (p_m, t_m)$ satisfies $\overrightarrow{p_i} = \overleftarrow{p_{i+1}}$ for all $i$ ($1 \le i < m$), it is called a time-stamped behavior and denoted by $TBeh = (p_1, t_1)(p_2, t_2) \ldots (p_m, t_m)$.

Definition 2. A DC formula of the form $A \le \ell \le B \rightarrow \sum_{i=1}^{n} c_i \int P_i \le C$ is called a linear duration invariant.

Here, each $P_i$ ($1 \le i \le n$) is an atomic proposition, $A$ and $B$ are nonnegative real numbers, $B$ may be $\infty$, and $c_i$ ($1 \le i \le n$) and $C$ are real numbers [5]. An LDI says that if the length of the observation interval over $\mathcal{M}$ is between $A$ and $B$, then the durations of system states over that interval should satisfy the linear constraint $\sum_{i=1}^{n} c_i \int P_i \le C$. The formal semantics of LDIs is given in Definition 3.

Let $TBEH$ be the set of all $TBeh = (p_1, t_1)(p_2, t_2) \ldots (p_m, t_m)$ of $\mathcal{M}$. The function $\ell : TBEH \to \mathbb{R}^+$ is defined as $\ell(TBeh) = \sum_{i=1}^{m} t_i$. For each atomic proposition $P \in AP$ of $\mathcal{M}$, the function $\int P : TBEH \to \mathbb{R}^+$ is defined as

$\int P(TBeh) = \sum_{i=1}^{m} \begin{cases} t_i & \text{if } P \in L(\overleftarrow{p_i}) \\ 0 & \text{otherwise} \end{cases}$

$\int P(TBeh)$ calculates the total duration of $P$-states on $TBeh$, where a $P$-state is a state in which $P$ is labeled. For instance, if $TBeh = (p_1, 3.1)(p_2, 2.0)(p_3, 1.5)$ and $P$ is labeled on the source states of $p_1$ and $p_3$, then $\int P(TBeh) = 3.1 + 1.5 = 4.6$. Let $\mathcal{D}$ be a linear duration invariant over $\mathcal{M}$. The function $LF : TBEH \to \mathbb{R}$ is defined as $LF(TBeh) = \sum_{i=1}^{n} c_i \int P_i(TBeh)$. $LF$ is the function calculating the value of the linear term $\sum_{i=1}^{n} c_i \int P_i$ of $\mathcal{D}$ for each $TBeh$. Based on these definitions, the satisfaction relation between a real-time automaton $\mathcal{M}$ and an LDI $\mathcal{D}$ is defined as follows.

Definition 3. An LDI $\mathcal{D}$ is satisfied by a real-time automaton $\mathcal{M}$, denoted by $\mathcal{M} \models \mathcal{D}$, iff $A \le \ell(TBeh) \le B$ implies $LF(TBeh) \le C$ for all $TBeh$ of $\mathcal{M}$.

Example 2. A fan is installed to prevent self-ignition of accumulated leaked gas in the gas burner. However, frequent gas leaks may cause self-ignition, as the capacity of the fan is limited. A desirable real-time requirement of the gas burner is that the proportion of total gas leak time is not more than one twentieth of the elapsed time if the system is observed for one minute or more. This real-time requirement can be specified using an LDI as follows.

$\ell \ge 60 \rightarrow 19 \int Leak - \int NLeak \le 0$

Here, $19 \int Leak - \int NLeak \le 0$ is derived from $\int Leak \le (1/20) \cdot \ell$ by substituting $\ell = \int Leak + \int NLeak$.

2.2 Approximate Technique Checking Real-time Automata for LDIs

Mathematically, checking a real-time automaton $\mathcal{M}$ against an LDI $\mathcal{D}$ is to solve the following optimization problem.

Find the maximum of $LF$ over $\{TBeh \mid A \le \ell(TBeh) \le B\}$.

If the maximum value of the function $LF$ is smaller than or equal to $C$, then $\mathcal{D}$ is satisfied by the real-time automaton $\mathcal{M}$. Unlike previous methods, we check $\mathcal{M}$ approximately using a genetic algorithm, without any complicated preprocessing or impractical computation. Genetic algorithms work especially well when the fitness function is linear, as it is for an LDI. In this subsection, we describe an approximate technique for checking real-time automata against LDIs based on the genetic algorithm. We assume that readers have elementary knowledge of the technical procedures of genetic algorithms. Let a real-time automaton $\mathcal{M}$ and an LDI $\mathcal{D}$ be given.

Encoding.

A time-stamped transition $(p, t)$, where $p = (s, [a, b], s')$ and $t \in [a, b]$, is a gene, and a time-stamped behavior $(p_1, t_1)(p_2, t_2) \ldots (p_m, t_m)$ is a chromosome (individual).

Fitness function.

The linear function $LF$ defined in subsection 2.1 is used as the fitness function. $LF$ calculates the value of the linear term $\sum_{i=1}^{n} c_i \int P_i$ of $\mathcal{D}$ for each individual $(p_1, t_1)(p_2, t_2) \ldots (p_m, t_m)$.

Initialization.

The set $BEH$ of all behaviors of $\mathcal{M}$ can be expressed as a union of regular expressions built from concatenation and Kleene closure over the alphabet $T$. For example, the set $BEH$ of behaviors of the gas burner can be expressed as $BEH = p_1(p_2p_1)^* \cup p_2(p_1p_2)^* \cup p_1(p_2p_1)^*p_2 \cup p_2(p_1p_2)^*p_1$, where $p_1 = (s_1, [30, \infty), s_2)$ and $p_2 = (s_2, [0, 1], s_1)$. Therefore, it is better to choose individuals uniformly from each component of the union, for quick and uniform expansion of the search space, when we create the initial population and generate new populations.

Selection operation.

Elitist preserving selection, which retains the best individuals of a generation unchanged in the next generation, is used.

Mutation operation.

Mutation is realized by replacing a gene $(p, t)$ with another gene $(p, t')$, where $p = (s, [a, b], s')$ and $t, t' \in [a, b]$. Multi-point mutation can be used for relatively long individuals. Applications of the mutation operation expand the breadth of the search space.

Cut and splice operation.

Cut and splice produces two new individuals from two individuals that contain a gene with the same transition $p$, by swapping the suffixes beyond the selected gene. Since both suffixes start at the target state of $p$, the results are again time-stamped behaviors.

The genetic algorithm for checking a real-time automaton against an LDI is composed as follows.

Step 1:

Using the initialization method described above, create an initial population $P(0)$ consisting of $N$ individuals, each satisfying $A \le \ell(TBeh) \le B$.

Step 2:

Evaluate the fitness of each individual. If $LF(TBeh) > C$ for some individual $TBeh$, terminate the algorithm with output $\mathcal{M} \not\models \mathcal{D}$. (Note that the counterexample $TBeh$ is used for debugging.)

Step 3:

Generate a population $Q$ by applying the genetic operations to the current population $P(n)$. Remove all individuals not satisfying $A \le \ell(TBeh) \le B$ from $Q$ and add as many new individuals satisfying $A \le \ell(TBeh) \le B$ as were removed.

Step 4:

Generate the new population $P(n+1)$ from $Q$ by replacing the least-fit individuals of $Q$ with the best-fit individuals of $P(n)$.

Step 5:

Repeat Steps 2-4 until the best fitness value settles in the sequence of populations or $n$ reaches the maximum.
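
As an added example, which is not code from the paper, the following Python script implements Definitions 1-3 and Steps 1-5 above for the gas burner of Example 1 and the LDI of Example 2. Two choices are assumptions of this example rather than of the paper: time stamps are drawn from the transition intervals with a bias toward the interval endpoints, and semi-infinite intervals $[a, \infty)$ are sampled only up to $a + \mathrm{SPAN}$. The random-walk initialization, the elite fraction and the parameter defaults are likewise this example's choices.

```python
import math
import random
from collections import namedtuple

# Real-time automaton (Definition 1): labels maps a state to its atomic
# proposition; transitions are (src, lo, hi, dst) tuples, hi = math.inf allowed.
# A time-stamped transition (p, t) spends t time units in the source state of p.
RTA = namedtuple("RTA", "labels transitions")
# LDI (Definition 2):  A <= l <= B  ->  sum_i coeffs[P_i] * int(P_i) <= C
LDI = namedtuple("LDI", "A B coeffs C")
Verdict = namedtuple("Verdict", "satisfied best_fitness best counterexample")

# Gas burner of Example 1: p1 = (s1, [30, inf), s2), p2 = (s2, [0, 1], s1).
GAS_BURNER = RTA({"s1": "NLeak", "s2": "Leak"},
                 [("s1", 30.0, math.inf, "s2"), ("s2", 0.0, 1.0, "s1")])
# Example 2:  l >= 60  ->  19 * int(Leak) - int(NLeak) <= 0
LEAK_LDI = LDI(60.0, math.inf, {"Leak": 19.0, "NLeak": -1.0}, 0.0)
SPAN = 60.0  # assumption of this example: how far above a we sample for [a, inf)

# A chromosome (time-stamped behavior) is a list of genes (transition index, t).
def length(rta, tbeh):
    return sum(t for _, t in tbeh)

def duration(rta, tbeh, prop):
    """int P of subsection 2.1: total time spent in states labelled prop."""
    return sum(t for i, t in tbeh if rta.labels[rta.transitions[i][0]] == prop)

def lf(rta, ldi, tbeh):
    """Fitness LF: the linear term of the LDI evaluated on one behavior."""
    return sum(c * duration(rta, tbeh, p) for p, c in ldi.coeffs.items())

def in_window(rta, ldi, tbeh):
    return ldi.A <= length(rta, tbeh) <= ldi.B

def random_time(lo, hi, rng):
    """Time stamp in [lo, hi]; 40% of draws land on each endpoint, because LDI
    extremes lie on interval boundaries that uniform sampling never hits exactly."""
    top = hi if hi < math.inf else lo + SPAN
    r = rng.random()
    return lo if r < 0.4 else top if r < 0.8 else rng.uniform(lo, top)

def random_behavior(rta, ldi, rng):
    """Random walk from a random state (every state is initial) until the length
    reaches A, plus 0-2 extra transitions; retried if the result leaves [A, B]."""
    while True:
        state, tbeh, extra = rng.choice(list(rta.labels)), [], rng.randint(0, 2)
        while True:
            i = rng.choice([k for k, tr in enumerate(rta.transitions) if tr[0] == state])
            _, lo, hi, state = rta.transitions[i]
            tbeh.append((i, random_time(lo, hi, rng)))
            if length(rta, tbeh) >= ldi.A:
                if extra == 0:
                    break
                extra -= 1
        if in_window(rta, ldi, tbeh):
            return tbeh

def mutate(rta, tbeh, rng):
    """Replace one gene (p, t) by (p, t') with t' drawn from the same interval."""
    k = rng.randrange(len(tbeh))
    i, _ = tbeh[k]
    _, lo, hi, _ = rta.transitions[i]
    return tbeh[:k] + [(i, random_time(lo, hi, rng))] + tbeh[k + 1:]

def cut_and_splice(a, b, rng):
    """Swap the suffixes of a and b after a gene whose transition both contain;
    the results are still behaviors because that transition has one target."""
    shared = [(x, y) for x, (ia, _) in enumerate(a) for y, (ib, _) in enumerate(b) if ia == ib]
    if not shared:
        return a, b
    x, y = rng.choice(shared)
    return a[:x + 1] + b[y + 1:], b[:y + 1] + a[x + 1:]

def check_ldi(rta, ldi, N=100, pm=0.3, pc=0.5, max_gen=80, seed=7):
    """Steps 1-5 of subsection 2.2: maximise LF over behaviors with A <= l <= B;
    an individual with LF > C is a counterexample and ends the search."""
    rng = random.Random(seed)
    fit = lambda tbeh: lf(rta, ldi, tbeh)
    pop = [random_behavior(rta, ldi, rng) for _ in range(N)]      # Step 1
    elite = max(N // 10, 1)
    for _ in range(max_gen):
        ranked = sorted(pop, key=fit, reverse=True)               # Step 2
        if fit(ranked[0]) > ldi.C:
            return Verdict(False, fit(ranked[0]), ranked[0], ranked[0])
        children = []                                              # Step 3
        for tbeh in ranked:
            if rng.random() < pc:
                tbeh, _ = cut_and_splice(tbeh, rng.choice(ranked), rng)
            if rng.random() < pm:
                tbeh = mutate(rta, tbeh, rng)
            if in_window(rta, ldi, tbeh):
                children.append(tbeh)
        while len(children) < N:
            children.append(random_behavior(rta, ldi, rng))
        children.sort(key=fit)                                     # Step 4: elitism
        pop = children[elite:] + ranked[:elite]
    ranked = sorted(pop, key=fit, reverse=True)
    best = fit(ranked[0])
    return Verdict(best <= ldi.C, best, ranked[0], None if best <= ldi.C else ranked[0])
```

`check_ldi` stops with a counterexample as soon as some individual's $LF$ exceeds $C$; otherwise it reports only the best fitness it saw, which is a lower bound on the true maximum, so a "satisfied" verdict is approximate while a "violated" verdict is exact. On the gas burner the search climbs to the behavior $(p_2, 1)(p_1, 30)(p_2, 1)(p_1, 30)(p_2, 1)$ with $LF = 19 \cdot 3 - 60 = -3$, the value reported in the experiment of the next subsection; lowering $C$ to $-30$ makes the same search return a counterexample.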

2.3 Experiment and Remark 

We applied our genetic algorithm to check the real-time automaton of Example 1 against the LDI of Example 2. The encoding and the fitness function were chosen according to the method above. The initial population was created by choosing individuals from $p_1(p_2p_1)^*$, $p_2(p_1p_2)^*$, $p_1(p_2p_1)^*p_2$ and $p_2(p_1p_2)^*p_1$ randomly but uniformly. We executed our genetic algorithm 10 times, varying the parameter $N$ between 80 and 100, $P_m$ between 0.1 and 0.3, and $P_c$ between 0.4 and 0.6. Here, $P_m$ is the probability of mutation and $P_c$ is the probability of cut and splice. The termination condition was $n = 50$. The best fitness reached $-3$ or nearly $-3$ in each execution. From this, we estimated that the maximum of $19 \int Leak - \int NLeak$ is $-3$, which is much smaller than $C = 0$. Consequently, we could confidently conclude that the real-time requirement $\ell \ge 60 \rightarrow 19 \int Leak - \int NLeak \le 0$ is satisfied by the gas burner model of Example 1.

The approximate technique of this section requires neither complicated preprocessing nor impractical calculation. It also has the advantage of finding counterexamples violating the requirement specification, which is achieved by applying the algorithm repeatedly. When the maximum of $LF$ is clearly different from $C$, the technique has the same effect as exact model checking; in the opposite case, more executions of the algorithm are needed to get enough information about the maximum of $LF$, and a run that finds no counterexample is evidence rather than proof of satisfaction. Our technique does not depend much on the number of states of the system model, as the fitness function is linear.

3 Approximate technique checking probabilistic real-time automata for PLDIs

To specify the dependability requirements of real-time systems, a kind of probabilistic extension of DC was introduced in [16, 17]. No rigorous syntax was introduced in these papers, and the authors focused on developing techniques for reasoning instead of checking. In [18], the authors introduced probabilistic duration calculus (abbreviated to PDC), which is a conservative extension of DC, and defined its semantics using the behavioral model of [20]. They also considered the decidability of a class of PDC formulas, the so-called probabilistic linear duration invariants (abbreviated to PLDIs), and presented a technique for checking probabilistic timed automata against PLDIs. But the checking algorithm has too high a complexity, as the authors noted in their paper.

In this section, we present an approximate technique for checking probabilistic real-time automata against PLDIs, which uses the technique presented in Section 2. For the convenience of approximate model checking, we define the satisfaction relation between a probabilistic real-time automaton and a PLDI differently from [18], but equivalently in essence.

3.1 Satisfaction relation between a probabilistic real-time automaton and a PLDI

A discrete probability distribution over a set $S$ is a mapping $p : S \to [0, 1]$ such that the set $\{s \mid s \in S, p(s) > 0\}$ is finite and $\sum_{s \in S} p(s) = 1$. The set of all discrete probability distributions over $S$ is denoted by $S_{Dist}$.

Definition 4. A probabilistic real-time automaton $\mathcal{M}$ is a triple $\mathcal{M} = (S, D, L)$ consisting of a finite set $S$ of states, a probabilistic transition relation $D : S \to S_{Dist} \times I$, and a labeling function $L : S \to 2^{AP}$.

Every state of a probabilistic real-time automaton is both an initial state and an accepting state. The discrete probability distribution corresponding to $s$ is denoted by $p_s$.

Example 3. A realistic gas burner has probabilistic characteristics, because the sensor may fail to detect the flame in some cases. From the dependability point of view, the gas burner can be modeled as a probabilistic real-time automaton as follows (see the right of Fig. 1).

$S = \{s_1, s_2\}$

$D(s_1) = p_{s_1} \times [30, \infty)$, $p_{s_1}(s_1) = 0.9$, $p_{s_1}(s_2) = 0.1$

$D(s_2) = p_{s_2} \times [0, 1]$, $p_{s_2}(s_1) = 0.8$, $p_{s_2}(s_2) = 0.2$

$L(s_1) = \{NLeak\}$, $L(s_2) = \{Leak\}$

$p = (s, p_s(s'), [a, b], s')$ is called a transition and $(p, t)$ is called a time-stamped transition, where $t \in [a, b]$. For example, $p = (s_1, 0.1, [30, \infty), s_2)$ is a transition and $(p, 31)$ is a time-stamped transition of the probabilistic real-time automaton of Fig. 1. $p_1 p_2 \ldots p_m \ldots$ is called an infinite behavior and denoted by $Beh$ if $\overrightarrow{p_i} = \overleftarrow{p_{i+1}}$ for all $i \ge 1$. $p_1 p_2 \ldots p_m$ is called a finite behavior if $\overrightarrow{p_i} = \overleftarrow{p_{i+1}}$ for all $i = 1, \ldots, m-1$. $(p_1, t_1)(p_2, t_2) \ldots (p_m, t_m) \ldots$ is called an infinite time-stamped behavior and denoted by $TBeh$ if $p_1 p_2 \ldots p_m \ldots$ is an infinite behavior and $(p_i, t_i)$ is a time-stamped transition for each $i \ge 1$. $(p_1, t_1)(p_2, t_2) \ldots (p_m, t_m)$ is called a finite time-stamped behavior if $p_1 p_2 \ldots p_m$ is a finite behavior and $(p_i, t_i)$ is a time-stamped transition for each $i = 1, \ldots, m$.

$BEH(s)$ denotes the set of all infinite behaviors satisfying $\overleftarrow{p_1} = s$. $BEH(s)$ can be expressed as a tree structure, denoted by $G_{BEH}(s)$. For example, the left of Fig. 2 shows the tree expression $G_{BEH}(s_1)$ of $BEH(s_1)$ for the probabilistic real-time automaton of Example 3 (the right of Fig. 1). $G_{BEH}(s)$ can be identified with $BEH(s)$, and we mainly use $G_{BEH}(s)$ for convenience of description. The infinite behaviors of a probabilistic real-time automaton $\mathcal{M} = (S, D, L)$ can be completely expressed using $|S|$ distinct tree expressions.




Fig. 2. Left: Tree expression $G_{TBEH}(s_1)$ of gas burner. Right: Calculation tree $T_{s_1}$ of gas burner.



A time-stamped instance of $G_{BEH}(s)$, that is, the tree obtained by replacing each time interval of $G_{BEH}(s)$ with a time point of that interval, is denoted by $G_{TBEH}(s)$ or simply $TBEH(s)$. The probabilistic structure $(\Omega_{TBEH(s)}, F_{TBEH(s)}, P_{TBEH(s)})$ is defined on $G_{TBEH}(s)$ as follows.

– $\Omega_{TBEH(s)}$ is defined as the set of all infinite paths of $G_{TBEH}(s)$ starting from the root $s$.

– The set of infinite paths of $\Omega_{TBEH(s)}$ having the same prefix $(p_1, t_1)(p_2, t_2) \ldots (p_m, t_m)$ is denoted by $\sigma_{(p_1, t_1)(p_2, t_2) \ldots (p_m, t_m)}$. Here, we regard $s_1 s_2 s_3 s_4 \ldots$ as $(p_1, t_1)(p_2, t_2)(p_3, t_3) \ldots$ where $\overleftarrow{p_i} = s_i$. $F_{TBEH(s)}$ is defined as the smallest $\sigma$-algebra generated by the set of all $\sigma_{(p_1, t_1)(p_2, t_2) \ldots (p_m, t_m)}$.

– The probability measure $P_{TBEH(s)}$ on $F_{TBEH(s)}$ is the unique measure such that $P_{TBEH(s)}(\sigma_{(p_1, t_1)(p_2, t_2) \ldots (p_m, t_m)}) = \pi_1 \times \pi_2 \times \ldots \times \pi_{m-1}$, where $\pi_i$ is the probability value of the transition $p_i$.

Note that the probabilistic structure $(\Omega_{TBEH(s)}, F_{TBEH(s)}, P_{TBEH(s)})$ does not depend on the time stamps. To study the temporal and probabilistic behaviors of a probabilistic real-time automaton, we resolve $G_{BEH}(s)$ into time-stamped instances and then study the probabilistic behavior of each instance.

Definition 5. A PDC formula of the form $[\mathcal{D}]_{\ge \lambda}$ is called a probabilistic linear duration invariant, shortly PLDI, where $\mathcal{D}$ is a linear duration invariant of DC and $\lambda \in [0, 1]$.

A PLDI means that the probability that the real-time requirement $\mathcal{D}$ is satisfied by the system is equal to or greater than $\lambda$, even if the system runs in the worst case [18]. The formal definition of the semantics of PLDIs is as follows.

Definition 6. Let $\mathcal{M} = (S, D, L)$ be a probabilistic real-time automaton and $[\mathcal{D}]_{\ge \lambda}$ be a PLDI.

– $\mathcal{D}$ is satisfied by $TBeh = (p_1, t_1)(p_2, t_2) \ldots (p_m, t_m) \ldots$, denoted by $TBeh \models \mathcal{D}$, iff $\mathcal{D}$ is satisfied by all finite sub-behaviors $(p_i, t_i)(p_{i+1}, t_{i+1}) \ldots (p_j, t_j)$ of $TBeh$. The satisfaction relation between $(p_i, t_i)(p_{i+1}, t_{i+1}) \ldots (p_j, t_j)$ and $\mathcal{D}$ was defined in Section 2.

– $[\mathcal{D}]_{\ge \lambda}$ is satisfied by $G_{TBEH}(s)$, denoted by $G_{TBEH}(s) \models [\mathcal{D}]_{\ge \lambda}$, iff the probability of the set of paths of $\Omega_{TBEH(s)}$ which satisfy $TBeh \models \mathcal{D}$ is greater than or equal to $\lambda$.

– $[\mathcal{D}]_{\ge \lambda}$ is satisfied by $G_{BEH}(s)$, denoted by $G_{BEH}(s) \models [\mathcal{D}]_{\ge \lambda}$, iff $G_{TBEH}(s) \models [\mathcal{D}]_{\ge \lambda}$ for every time-stamped instance $G_{TBEH}(s)$ of $G_{BEH}(s)$.

– $[\mathcal{D}]_{\ge \lambda}$ is satisfied by $\mathcal{M}$, denoted by $\mathcal{M} \models [\mathcal{D}]_{\ge \lambda}$, iff $G_{BEH}(s) \models [\mathcal{D}]_{\ge \lambda}$ for all $s \in S$.

3.2 Approximate Technique Checking Probabilistic real-time automata for PLDIs

To decide $\mathcal{M} \models [\mathcal{D}]_{\ge \lambda}$ approximately, we introduce the notion of the probability calculation tree of a probabilistic real-time automaton.

Definition 7. Let $\mathcal{M} = (S, D, L)$ be a probabilistic real-time automaton and $s$ be a state of $\mathcal{M}$. The tree constructed according to the following rules is called the probability calculation tree with root $s$ and denoted by $T_s$.

– The root is labeled with $s$.

– Let $v$ be an already constructed vertex with label $s'$ ($s' \in S$).

  • For each $s''$ satisfying $p_{s'}(s'') > 0$, add a new vertex with label $s''$ as a child of $v$.

  • Label $p_{s'}(s'')$ on the edge connecting the vertex with label $s'$ and the vertex with label $s''$.

$|S|$ probability calculation trees are defined for a probabilistic real-time automaton $\mathcal{M} = (S, D, L)$. Two subtrees having the same root label are isomorphic to each other within a probability calculation tree, and each subtree of $T_s$ whose root is labeled with $s'$ is isomorphic to the probability calculation tree $T_{s'}$.

The right of Fig. 2 shows a probability calculation tree defined from the probabilistic real-time automaton of Example 3. As can be seen in the figure, the probability calculation tree is obtained by removing the time stamps from a $G_{TBEH}(s)$. That is, the same probability calculation tree $T_s$ is generated from every $G_{TBEH}(s)$. The probabilistic structure is defined on $T_s$ in the same way as in subsection 3.1. $T_s$ is used to check $G_{BEH}(s) \models [\mathcal{D}]_{\ge \lambda}$.

For simplicity of description, we identify each vertex of a probability calculation tree with its label. Let a finite set $W$ of finite paths of $T_s$ be given. For a vertex $v$ of $T_s$, $P_W(v)$ denotes the probability of the set of all infinite paths which start from $v$ and do not include any path of $W$ as a subpath.

Theorem 1. Given a probability calculation tree $T_s$ and a finite set $W$ of finite paths of $T_s$, $P_W(v)$ is computable for each vertex $v$ of $T_s$.

Proof. Let $w_1, w_2, \ldots, w_m$ be the paths of $W$ which start from $v$, and let $V = \{v_1, v_2, \ldots, v_k\}$ be the set obtained by eliminating the vertices of $w_1, w_2, \ldots, w_m$ from the set of all children of all non-end vertices of $w_1, w_2, \ldots, w_m$. Then the following equation holds.

$P_W(v) = p(v, v_1) \times P_W(v_1) + p(v, v_2) \times P_W(v_2) + \ldots + p(v, v_k) \times P_W(v_k)$

Here $p(v, v_i)$ is the product of the probability values labeled on the path from $v$ to $v_i$. In case no path of $W$ starts from $v$, the following equation holds, where $v_1, v_2, \ldots, v_l$ are the children of $v$.

$P_W(v) = p_v(v_1) \times P_W(v_1) + p_v(v_2) \times P_W(v_2) + \ldots + p_v(v_l) \times P_W(v_l)$

If no path of $W$ can be reached from $v$ at all, $P_W(v) = 1$ by definition; such vertices supply the constant terms of the system. There are only finitely many different vertices in $T_s$, so we can build a linear equation system consisting of the equations described above. Solving it, we find the value of $P_W(v)$.

Using Theorem 1, it is possible to decide approximately whether $[\mathcal{D}]_{\ge \lambda}$ is satisfied by $\mathcal{M}$ or not. In the rest of this subsection, we describe how. We obtain a real-time automaton $\mathcal{M}'$ from the probabilistic real-time automaton $\mathcal{M}$ by removing the transition probability values from all edges. We check $\mathcal{M}' \models \mathcal{D}$ using the approximate model checking technique of Section 2.2. If repeated checking does not detect any finite time-stamped behavior violating $\mathcal{D}$ in $\mathcal{M}'$, we conclude $\mathcal{M} \models [\mathcal{D}]_{\ge \lambda}$.

Let us now assume that repeated approximate model checking has detected some time-stamped behaviors violating $\mathcal{D}$ in $\mathcal{M}'$. We obtain finite time-stamped behaviors of $\mathcal{M}$ by labeling all detected time-stamped behaviors of $\mathcal{M}'$ with their probability values again. We denote this set by $W_0$.

For each $G_{TBEH}(s)$, the probability of the set of behaviors which start from $s$ and do not include a finite time-stamped behavior of $W_0$ as a part is different. What we are interested in is the minimum of these probability values. If the minimum is equal to or greater than $\lambda$, we conclude $\mathcal{M} \models [\mathcal{D}]_{\ge \lambda}$, that is, the probability that $\mathcal{D}$ is satisfied by $\mathcal{M}$ is approximately greater than or equal to $\lambda$ even in the worst case.

We generate $W_0'$ from $W_0$ by expressing each finite time-stamped behavior of $W_0$ in the form of a path and removing the time stamps. Each path of $W_0'$ is a finite path of a probability calculation tree of $\mathcal{M}$. The number of elements of $W_0'$ is smaller than that of $W_0$, because behaviors with different time stamps can map to the same path.

Finally, we generate $W = \{w_1, w_2, \ldots, w_m\}$ from $W_0'$ by eliminating each path which includes another path. This is because, for each calculation tree $T_s$, the set of infinite paths including $w$ as a subpath is a subset of the set of infinite paths including $w'$ as a subpath if $w$ includes $w'$ as a subpath. (Note that in some cases it is possible to reduce $W$ again for the calculation of $P_W(s)$. We do not consider this in general in this paper, but show an example in the next subsection.)

By applying Theorem 1, we calculate $P_W(s_1), P_W(s_2), \ldots, P_W(s_n)$ for the states $s_1, s_2, \ldots, s_n$ of $\mathcal{M}$. If $P_W(s_i) \ge \lambda$ for all $i$ ($1 \le i \le n$), we conclude that $\mathcal{M} \models [\mathcal{D}]_{\ge \lambda}$ holds approximately. But if $P_W(s_i) < \lambda$ for some $i$ ($1 \le i \le n$), it means that $\mathcal{M} \not\models [\mathcal{D}]_{\ge \lambda}$. Since $W$ contains only behaviors that genuinely violate $\mathcal{D}$, the positive verdict holds only up to the violations the search failed to find, and further search can only lower $P_W(s_i)$. The technique presented in this subsection can be fully automated.

3.3 Experiment and Remark 

Using the technique described above, we decided the satisfaction relation between the probabilistic real-time automaton $\mathcal{M}$ of Example 3 and the probabilistic linear duration invariant $[\mathcal{D}]_{\ge \lambda}$, where $\mathcal{D}$ is $\ell \ge 60 \rightarrow 19 \int Leak - \int NLeak \le 0$ and $\lambda$ is a real number satisfying $0 < \lambda \le 1$.

For convenience, we bounded the checking to time-stamped behaviors whose lengths are not greater than 8. As a result of 5 repeated applications of approximate DC model checking to $\mathcal{M}'$ for $\mathcal{D}$, hundreds of time-stamped behaviors violating $\mathcal{D}$ were detected. We constructed $W_0$ and $W_0'$ according to the method described above. The number of paths of $W_0'$ was about 70.

Finally, we generated $W$ from $W_0'$ according to the method described above; it consists of 4 paths. They are

$s_2 \xrightarrow{0.2} s_2 \xrightarrow{0.2} s_2 \xrightarrow{0.8} s_1 \xrightarrow{0.9} s_1$

$s_2 \xrightarrow{0.2} s_2 \xrightarrow{0.2} s_2 \xrightarrow{0.8} s_1 \xrightarrow{0.1} s_2$

$s_1 \xrightarrow{0.1} s_2 \xrightarrow{0.2} s_2 \xrightarrow{0.2} s_2 \xrightarrow{0.8} s_1$

$s_1 \xrightarrow{0.1} s_2 \xrightarrow{0.2} s_2 \xrightarrow{0.2} s_2 \xrightarrow{0.2} s_2$

We did not apply Theorem 1 to $W$ at this stage, but reduced $W$ again manually in the following way. All 4 paths include $s_2 \xrightarrow{0.2} s_2 \xrightarrow{0.2} s_2$ as a subpath. Therefore, in each probability calculation tree of $\mathcal{M}$, the set of infinite paths including a path of $W$ as a subpath is a subset of the set of infinite paths including $s_2 \xrightarrow{0.2} s_2 \xrightarrow{0.2} s_2$ as a subpath. On the other hand, every infinite behavior of a $G_{BEH}$ which passes $s_2$ three consecutive times has a time-stamped instance violating $\mathcal{D}$. This means that we can find an approximate minimum value of the probability of satisfaction of $\mathcal{D}$, corresponding to the worst case, by calculating $P_{W'}(s_1)$ and $P_{W'}(s_2)$, where $W' = \{s_2 \xrightarrow{0.2} s_2 \xrightarrow{0.2} s_2\}$. We applied Theorem 1 to this $W'$.

Changil Choe, Dang Van Hung, and Song Han

Fig. 3. Left: Calculation of $P_{W'}(s_1)$. Right: Calculation of $P_{W'}(s_2)$.

$s_2 \xrightarrow{0.2} s_2 \xrightarrow{0.2} s_2$ does not start from $s_1$ of $T_{s_1}$. Therefore, the following equation holds.

$P_{W'}(s_1) = 0.9 \cdot P_{W'}(s_1) + 0.1 \cdot P_{W'}(s_2)$ (1)

In $T_{s_2}$, the right side of Fig. 3, $V$ consists of the two grey-colored $s_1$-vertices which are children of the first two bold-lined $s_2$-vertices. Therefore, the following equation holds.

$P_{W'}(s_2) = 0.8 \cdot P_{W'}(s_1) + 0.2 \cdot 0.8 \cdot P_{W'}(s_1)$ (2)

By combining (1) and (2), we set up the following linear equation system.

$P_{W'}(s_1) = 0.9 \cdot P_{W'}(s_1) + 0.1 \cdot P_{W'}(s_2)$
$P_{W'}(s_2) = 0.96 \cdot P_{W'}(s_1)$

Solving this linear equation system, we obtain $P_{W'}(s_1) = P_{W'}(s_2) = 0$: the first equation gives $P_{W'}(s_1) = P_{W'}(s_2)$, and substituting this into the second leaves $0.04 \cdot P_{W'}(s_1) = 0$. This means that $\mathcal{M} \not\models [\mathcal{D}]_{\ge \lambda}$ for any $\lambda \in (0, 1]$. In other words, the dependability of the gas burner with respect to the real-time requirement $\mathcal{D}$ is zero in the worst case.

We tried to make $W$ as small as possible, because this can reduce the total calculation time considerably. In general, careful analysis of the system model and the requirement specification is needed to minimize $W$. It can be skipped if $W$ is small. The linear equation system was homogeneous in the above example. However, it is not homogeneous in general.
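
As an added example, which is not the paper's code, the Python below computes $P_W(s)$ of Theorem 1 for the probabilistic real-time automaton of Example 3 and reproduces the hand calculation of this subsection. Instead of working on the calculation tree, it tracks the matched prefixes of the paths in $W$ with an Aho-Corasick automaton over state labels and solves the resulting linear system over product states exactly with fractions. This is a swapped-in formulation rather than the paper's: it makes the manual reduction of $W$ to $W'$ unnecessary, since nested paths and overlapping occurrences are handled by the automaton, whereas the recursion in the proof of Theorem 1 restarts matching at the first vertex outside the paths of $W$. The chain `SHUTDOWN_BURNER`, with an absorbing state $s_3$, is constructed here to exhibit the non-homogeneous case mentioned above; it is not from the paper.

```python
from collections import deque
from fractions import Fraction

# Probabilistic real-time automaton of Example 3 with the time intervals dropped,
# since the probabilistic structure does not depend on the time stamps.
GAS_BURNER = {"s1": {"s1": Fraction(9, 10), "s2": Fraction(1, 10)},
              "s2": {"s1": Fraction(8, 10), "s2": Fraction(2, 10)}}
# Constructed variant (not from the paper): an absorbing shutdown state s3, so
# some runs never reach a pattern and the linear system gains constant terms.
SHUTDOWN_BURNER = {"s1": {"s1": Fraction(17, 20), "s2": Fraction(1, 10), "s3": Fraction(1, 20)},
                   "s2": {"s1": Fraction(4, 5), "s2": Fraction(1, 5)},
                   "s3": {"s3": Fraction(1)}}
PAPER_W = [["s2", "s2", "s2"]]   # the reduced W' of subsection 3.3, as state labels

def pattern_automaton(patterns, alphabet):
    """Aho-Corasick automaton over state labels: returns the complete transition
    table goto[node][label] and hit[node] (a pattern of W ends at this node)."""
    goto, fail, hit = [{}], [0], [False]
    for w in patterns:
        node = 0
        for sym in w:
            if sym not in goto[node]:
                goto[node][sym] = len(goto)
                goto.append({}); fail.append(0); hit.append(False)
            node = goto[node][sym]
        hit[node] = True
    queue = deque()
    for sym in alphabet:                      # depth-1 nodes fail to the root
        if sym in goto[0]:
            queue.append(goto[0][sym])
        else:
            goto[0][sym] = 0
    while queue:                              # breadth-first failure links
        node = queue.popleft()
        hit[node] = hit[node] or hit[fail[node]]
        for sym in alphabet:
            if sym in goto[node]:
                fail[goto[node][sym]] = goto[fail[node]][sym]
                queue.append(goto[node][sym])
            else:
                goto[node][sym] = goto[fail[node]][sym]
    return goto, hit

def solve(rows):
    """Gauss-Jordan elimination on an augmented matrix of Fractions."""
    n = len(rows)
    for col in range(n):
        piv = next(r for r in range(col, n) if rows[r][col] != 0)
        rows[col], rows[piv] = rows[piv], rows[col]
        pv = rows[col][col]
        rows[col] = [v / pv for v in rows[col]]
        for r in range(n):
            if r != col and rows[r][col] != 0:
                f = rows[r][col]
                rows[r] = [a - f * b for a, b in zip(rows[r], rows[col])]
    return [row[n] for row in rows]

def avoid_probabilities(chain, patterns):
    """P_W(s) for every state s: probability that an infinite run from s never
    contains a pattern of W as a contiguous subpath. Product states are (chain
    state, matched-prefix node); P_W = 0 once a pattern is completed, P_W = 1
    where no pattern is reachable, and P_W(q) = sum p(q,q') P_W(q') otherwise."""
    goto, hit = pattern_automaton(patterns, set(chain))
    start = {s: (s, goto[0][s]) for s in chain}    # the root vertex is the first label
    succ, todo = {}, deque(start.values())
    while todo:
        q = todo.popleft()
        if q not in succ:
            s, node = q
            succ[q] = {} if hit[node] else {(s2, goto[node][s2]): p for s2, p in chain[s].items()}
            todo.extend(succ[q])
    bad = {q for q in succ if hit[q[1]]}
    pred = {q: set() for q in succ}
    for q, nxt in succ.items():
        for q2 in nxt:
            pred[q2].add(q)
    reach, frontier = set(bad), deque(bad)         # states that can still complete a pattern
    while frontier:
        for q in pred[frontier.popleft()]:
            if q not in reach:
                reach.add(q)
                frontier.append(q)
    unknown = [q for q in succ if q in reach and q not in bad]
    idx = {q: i for i, q in enumerate(unknown)}
    rows = []
    for q in unknown:
        row = [Fraction(0)] * (len(unknown) + 1)
        row[idx[q]] += 1
        for q2, p in succ[q].items():
            if q2 in idx:
                row[idx[q2]] -= p
            elif q2 not in bad:
                row[-1] += p                       # successor with P_W = 1: constant term
        rows.append(row)
    x = solve(rows)
    value = lambda q: Fraction(0) if q in bad else x[idx[q]] if q in idx else Fraction(1)
    return {s: value(q) for s, q in start.items()}

def pldi_holds(chain, patterns, lam):
    """M |= [D]_{>= lam} (approximately): the minimum of P_W(s) over states reaches lam."""
    return min(avoid_probabilities(chain, patterns).values()) >= lam
```

For the gas burner, `avoid_probabilities(GAS_BURNER, PAPER_W)` gives $P_{W'}(s_1) = P_{W'}(s_2) = 0$, the result of the hand calculation; the four unreduced paths of $W$ give the same answer, because every product state can still complete one of them. In `SHUTDOWN_BURNER`, runs that reach $s_3$ can never complete the pattern, so the equation for $(s_1, \text{root})$ picks up the constant term $1/20$ and the system yields $P_W(s_1) = 25/27$, $P_W(s_2) = 8/9$ and $P_W(s_3) = 1$.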

4 Future Work 

There are no big technical difficulties in adapting the techniques described in this paper to timed automata [19] and probabilistic timed automata. For the next stage, we want to develop an approximate technique for checking timed automata against undecidable DC formulas containing the chop operator, which is not considered in normal DC model checking. The discrete measurement operator $\Sigma$ of WDC [21] will be used to represent chop formulas quantitatively, which is more convenient for checking. For example, the design requirement $\lceil Leak \rceil \frown \lceil NLeak \rceil \frown \lceil Leak \rceil \rightarrow \ell \ge 30$ of the gas burner can be represented as $\Sigma Leak = 2 \wedge \Sigma NLeak = 1 \rightarrow \ell \ge 30$. The latter is much more convenient for applying optimization methods.